practical "Padding Oracle Attacks" (cf travis' msg "padding attack vs. PKCS7" of Thu, 11 Jun 2009 11:37:16 -0500)...

'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps
by Dennis Fisher
September 13, 2010, 7:58AM

A pair of security researchers have implemented an attack that exploits the way that ASP.NET Web applications handle encrypted session cookies, a weakness that could enable an attacker to hijack users' online banking sessions and cause other severe problems in vulnerable applications. Experts say that the bug, which will be discussed in detail at the Ekoparty conference in Argentina this week [0], affects millions of Web applications.

The problem lies in the way that ASP.NET, Microsoft's popular Web framework, implements the AES encryption algorithm to protect the integrity of the cookies these applications generate to store information during user sessions. A common mistake is to assume that encryption protects the cookies from tampering so that if any data in the cookie is modified, the cookie will not decrypt correctly. However, there are a lot of ways to make mistakes in crypto implementations, and when crypto breaks, it usually breaks badly.

"We knew ASP.NET was vulnerable to our attack several months ago, but we didn't know how serious it is until a couple of weeks ago. It turns out that the vulnerability in ASP.NET is the most critical amongst other frameworks. In short, it totally destroys ASP.NET security," said Thai Duong, who along with Juliano Rizzo, developed the attack against ASP.NET.

The pair have developed a tool specifically for use in this attack, called the Padding Oracle Exploit Tool [1]. Their attack is an application of a technique that's been known since at least 2002, when Serge Vaudenay presented a paper at on the topic at Eurocrypt [2].

In this case, ASP.NET's implementation of AES has a bug in the way that it deals with errors when the encrypted data in a cookie has been modified. If the ciphertext has been changed, the vulnerable application will generate an error, which will give an attacker some information about the way that the application's decryption process works. More errors means more data. And looking at enough of those errors can give the attacker enough data to make the number of bytes that he needs to guess to find the encryption key small enough that it's actually possible.

The attack allows someone to decrypt sniffed cookies, which could contain valuable data such as bank balances, Social Security numbers or crypto keys. The attacker may also be able to create authentication tickets for a vulnerable Web app and abuse other processes that use the application's crypto API.

Rizzo and Duong did similar work earlier this year on JavaServer Faces and other Web frameworks that was presented at Black Hat Europe [3]. They continued their research and found that ASP.NET was vulnerable to the same kind of attack. The type of attack is known as a padding oracle attack and it relies on the Web application using cipher-block chaining mode for its encryption, which many apps do.



[1] Practical Padding Oracle Attacks


[3] <>


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to

Reply via email to